Google patches critical bug on Android Nexus 5X devices

Fahmida Y. Rashid |
Sept. 5, 2016

The vulnerability, which Google has patched, could let attackers obtain the password for locked Nexus 5X devices and easily access device contents

"The password can be found on the fetched memory dump. Physical attackers can then successfully boot the platform, which further allows them to impersonate the user, access data stored on the device and more," Hay said.

An attacker can still exploit the vulnerability even without having physical access to the device, by either infecting a developer's PC with malware or compromising a charging station. In the latter case, if a vulnerable Nexus connects to the compromised charging station, the user would have to authorize the charger once connected. At that point, the malicious code would issue the adb reboot bootloader command to target ADB while charging.

It's not clear at this point if the vulnerability was in LG's hardware, the way Android interacts with LG, or in Android itself. At the moment, the issue appears to be restricted to only the Nexus 5X devices with the specified Android images. But it reinforces the importance of having good security habits. Yes, turn on the screen lock.

This vulnerability is not an excuse to say "what's the point?" and stop locking the device. Don't get complacent, though. Instead of assuming that enabling the lockscreen is sufficient, continue being careful about where the device is so that it doesn't fall into wrong hands. Enable the remote wipe feature on Android so that if lost, the data saved on the device gets erased.

Good thing it was in the Nexus

Since Google handles the Android update cycle for Nexus devices directly and does not have to rely on manufacturers or carriers to prepare the patches, most Nexus 5X users will receive, or have already received. It's a good thing Google patched this vulnerability, but the issue again highlights the biggest problem with the Android ecosystem.

Thank goodness the flaw was in the Nexus 5X -- if IBM had uncovered the flaw in a non-Nexus device, Google would have patched the flaw as part of its Android Security Bulletin, but the fixes would have languished in carrier and manufacturer limbo. A year ago, when Google started releasing security fixes for Android on a monthly schedule, several mobile device manufacturers pledged to roll out the updates to users on a regular basis. The sad reality is that hasn't happened consistently across models, nor in a timely manner, for most devices in users' hands.

Only Nexus users or users updating their own devices with custom Android distributions (such as CyanogenMod) are the only ones benefiting from the Android Security Bulletins. It's a sad state of insecurity if we have to hope for a flaw such as this Nexus 5X vulnerability to be found across more devices and brands in order to finally get the Android update problem fixed once and for all.